Hi all,
I'm searching for a solution on OPNsense to filter traffic by controlling the physical output interface.
My platform for test :
(https://i.postimg.cc/xCpZk4tq/Dessin2.png)
I want to ping ANY on the WAN from my LAN_1, but I don't want to be able to ping LAN_2.
I can do this with 2 rules on OPNsense:
- Drop ICMP from LAN_1 to LAN_2
- Authorize ICMP from LAN_1 to ANY
But I'm searching for a solution with only 1 rule. For example, if I use Debian with forwarding, I can use iptables to do this with only one rule:
- iptables -A FORWARD -p ICMP -i ens34 -o ens32 -s 192.168.10.0/24 -j ACCEPT
With this rule, I can control the physical outside interface to which the traffic is sent (the option highlighted in orange).
Thank you
Lejaune
I'm almost sure it's not possible to check both the incoming and outgoing interface to make a rule-based decision.
There is tagging support and you can filter in and out in two rules, but I think you need a "match" feature for this, which doesn't exist in FreeBSD pf(4).
Cheers,
Franco
Rule on LAN1: Source: LAN1 subnet
Destination: tick the "not" (invert) box and select the LAN2 subnet
That means ICMP packets destined for anything other than LAN2 get accepted. Adjust to the protocols/ports you want to filter.
True, you can filter by subnets, but it's not a 100% substitute for filtering incoming and outgoing devices. At least the expectations need to be managed. :)
Cheers,
Franco
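To make the three approaches discussed in this thread concrete, here is an added pf.conf fragment that is not from the original posts and not the ruleset OPNsense generates from its GUI: the two-rule version from the question, the single negated-destination rule from the answer above, and the tag-based in/out variant Franco mentions. Interface names (vmx1, vmx2, vmx0), the LAN_2 subnet 192.168.20.0/24 and the tag name LAN1_ICMP are assumptions for illustration; only 192.168.10.0/24 for LAN_1 comes from the thread.

```pf
# Added example (not from the original thread, not OPNsense-generated).
# Interface names and the LAN_2 prefix are assumed for illustration.
lan1_if  = "vmx1"
lan2_if  = "vmx2"
wan_if   = "vmx0"
lan1_net = "192.168.10.0/24"
lan2_net = "192.168.20.0/24"   # assumed

# --- Option A: two rules, as in the question. ---
# pf is last-match unless "quick", so the block must come first and be quick.
block in quick on $lan1_if inet proto icmp from $lan1_net to $lan2_net
pass  in quick on $lan1_if inet proto icmp from $lan1_net to any

# --- Option B: one rule with a negated destination (the GUI "not" tick). ---
# Matches ICMP from LAN_1 to anything that is NOT the LAN_2 prefix.
pass in quick on $lan1_if inet proto icmp from $lan1_net to ! $lan2_net

# --- Option C: tag on ingress, decide on egress (two rules minimum). ---
# Only works if the egress leg is actually evaluated against the ruleset:
# with the default "set state-policy floating", the state created by the
# inbound pass rule already covers the outbound packet on lan2/wan and the
# "out" rules below are never consulted. Binding states to interfaces
# changes that (OPNsense exposes this under Firewall: Settings: Advanced).
set state-policy if-bound
pass  in  quick on $lan1_if inet proto icmp from $lan1_net tag LAN1_ICMP
block out quick on $lan2_if tagged LAN1_ICMP
pass  out quick on $wan_if  tagged LAN1_ICMP
```

Load the fragment with `pfctl -nvf example.conf` first: `-n` parses without loading, so you can check the syntax and the macro expansion of `! $lan2_net` before touching a live ruleset. Note that Option B is the one closest to the one-rule iptables approach, but it decides on the destination address, not the egress interface: any prefix not equal to $lan2_net passes, including other internal networks and the firewall's own addresses, which is the expectation Franco asks to keep in mind.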
Thanks for the answer! ;D